ANI (Automatic Number Identification in North America is the 10-digit billing telephone number of the caller) was made available in 1967 to a business telephone customer for toll free circuits (800 or “Inward-WATS”) to inform the business telephone customer who was calling because the called business was paying the toll costs of the incoming call. ANI and Calling Number Identification (Caller ID) were made available as products to residential and small business telephone customers to provide them with the 10-digit telephone number of the calling party, and by the late 1980s in some cases the caller's name. Businesses such as banks, call centers, and government entities such as 911 service centers have relied on ANI information as a factor in identity determination; as an element in location discovery; and for call routing assistance, workflow efficiency, and fraud mitigation.
The ability to falsify ANI has been available for over a decade, but only to sophisticated and mostly regulated telecommunications carriers and very large business Users subscribing to expensive multi-line Primary Rate Interface (PRI) telephone circuits. ANI control has a legitimate use. As an example, a large business uses ANI control to display its main telephone number on all outgoing calls from its multiple lines.
The ability to falsify ANI stems from interaction of new technologies with legacy telecommunications architecture. Before the advent of information services network (e.g., Internet) telephony and deregulation, the telecommunications network was a closed system with one or both of a limited number of trusted FCC- and Public Utility Commission-licensed telecommunications companies adhering to a finite set of standards. Telecommunications decentralization and deregulation, as well as Internet telephony (Voice over Internet Protocol (VolP) technology), have exposed this legacy architecture to an abundance of new telephony products and services that inject calls and calling data from outside the control of the legacy telecommunications network. The telephony network then delivers to its destinations these calls and associated information, in most cases, without checking their validity. Consequently, this system supplies an opening for criminals to easily place calls with fabricated or “spoofed” ANIs for nefarious purposes. ANI fabrication or spoofing is a low cost, powerful penetration tool used to impersonate identity and location. Multiple companies and, more importantly, technologies exist for the sole purpose of enabling anyone, anywhere, to spoof ANI and Caller ID for pennies each call.
Throughout the past 25 years, telecommunication Users have relied on ANI and have built vital business processes around the incoming calling party telephone number. In addition, most businesses have developed sophisticated inbound telephone answering systems (known as IVR) that answer calls and are programmed with rules-based decision parameters grounded on the ANI. Now, relying on non-validated ANI undermines these critical marketing, technical, and security processes used for authentication, identity, location, and activation in today's financial services, general business, and government enterprises. As one specific industry example, major financial institutions now have compromised critical operations that were built upon the trustworthiness of ANI. Applications such as bank-card activation, credit issuance, money transfers, new account applications, and customer service have all relied on the layer of security ANI has provided. Decisions made using the current non-validated ANI place an enterprise at risk of diminished revenue by limiting new product offerings and increased losses from fraud. Attempted fraud exceeds $50 billion each year in the U.S. alone. Identity fraud is the key driver in these losses. Today, more bank card activation fraud occurs by telephone than by other remote banking channels combined (i.e., not face-to-face), such as ATM, e-mail, and world wide web.
There are several ways in which a motivated individual can take advantage of the current state of the art to manipulate ANI. VoiceXML applications let Users change ANI and Caller ID. An open source PBX software application, such as Asterisk, allows users to manipulate ANI. Competitive service providers and telecommunication carriers can set their own ANI. Moreover, certain companies exist today for the sole purpose of allowing ANI and Caller ID to be spoofed and falsified. Businesses such as Camophone, Telespoof, CovertCall, and dozens of others offer widely available ANI and Caller ID spoofing for pennies each call.
The consequences of prevalent, facile manipulation of ANI provide motivation to restore integrity to the use of ANI. One major consequence is financial fraud, which is on the rise and is driven primarily by identity fraud. Traditional financial services customer verification tools such as information-based authentication are being compromised. Most financial service companies use ANI as the apex identifier in their telephonic decision-making. If false trust is placed in spoofed ANI, downstream decisions are compromised. Decisions made using current non-validated ANI is placing companies at risk, limiting new product offerings, and increasing losses from fraud. The disclosed approach restores the value of ANI by reestablishing the security of telephone transactions.
There are more financial transactions conducted over the telephone than are conducted on the world wide web, even in today's Internet pervasive environment. Of the more than two billion telephone calls placed annually to U.S. financial institutions alone, nearly all rely on ANI for security, location information, call routing, and identity authentication. Knowing the caller's location or that the caller is in possession of an actual telephonic device is the foundation and an important factor for trusted telephone commerce.
A major nonfinancial consequence is criminal mischief. A Washington state man was sentenced to 30 months in prison, after using ANI spoofing to send SWAT teams to the houses of a dozen innocent, unknowing individuals.
The following is a chronological summary of the evaluation of ANI spoofing and legislative attempts to combat it.
In 2003, VoiceXML applications let Users change ANI, and, at the same time, VoIP telephony entered the marketplace. An open source PBX software application, called Asterisk, allows users to manipulate calling party number information. Asterisk is a software implementation of a telephone private branch exchange (PBX) originally created in 1999 by Mark Spencer of Digium. As an example, if the ANI field is left blank by the Asterisk or carrier switch, any user can easily manipulate the Caller ID information using Asterisk, thereby populating the ANI field with the same misinformation as the spoofed Caller ID. Asterisk allows Users to send spoofed ANI in the same way that businesses had been setting their ANI with PRI lines.
In 2004, a new ANI spoofing service, named Star38, (using VoIP and Asterisk) was launched and gained attention from worldwide mainstream media after USA Today published in its daily paper a front-page article about the service. The same year, others followed such as Camophone, Telespoof, and CovertCall. Over the next year, a dozen additional services started delivering ANI spoofing services.
By 2006, the FCC began investigations into these services, and the House of Representatives and the Senate considered several bills attempting to outlaw use of ANI spoofing for fraudulent purposes. ANI spoofing gained the attention of the mainstream media as SpoofCard announced the cancellation of an account belonging to Paris Hilton that was used to break into the voicemail of Lindsay Lohan to harass her.
On Jun. 27, 2007, the United States Senate Committee on Commerce, Science and Transportation approved and submitted to the Senate calendar Senate Bill S.704, which would have made spoofing ANI a crime. Titled the “Truth in Caller ID Act of 2007,” the bill would have outlawed causing “any caller identification service to transmit misleading or inaccurate caller identification information” via “any telecommunications service or IP-enabled voice service.” Law enforcement would have been exempted from the rule. A similar bill, HR251, was recently introduced and passed in the House of Representatives. It had been referred to the same Senate committee that approved S.704. The bill never became law because the full Senate never voted on it; it was added to the Senate Legislative Calendar under General Orders, but no vote was taken, and the bill expired at the end of the 110th Congress. On Jan. 7, 2009, Senator Bill Nelson (FL) and three co-sponsors reintroduced the bill as S.30, the Truth in Caller ID Act of 2009, which was the bill referred to the same committee in the Senate. The House of Representatives passed the Truth in Caller ID Act of 2010 in April 2010, but the bill has yet to be reconciled with the Senate version. The new bill states that Caller ID may not be spoofed to be intentionally misleading or inaccurate. No federal bill has yet to be signed into law. Several of the States have passed bills making misleading Caller ID spoofing illegal.
What is needed is a method to detect or report the accuracy and truthfulness of ANI.